Home

Further Evasion in the Forgotten Corners of MS-XLS

It’s been a few weeks since my last discussion1 of Excel 4.0 macro shenanigans and the space continues to change. LastLine published a great report2 which summarized the progression of weaponized macros from February through May. The good folks at InQuest have continued3 identifying4 malicious5 macro documents6. @DissectMalware‘s excellent XLMMacroDeobfuscator7 has massively expanded its range … Continue reading Further Evasion in the Forgotten Corners of MS-XLS

Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format

Abusing legacy functionality built into the Microsoft Office suite is a tale as old as time. One functionality that is popular with red teamers and maldoc authors is using Excel 4.0 Macros to embed standard malicious behavior in Excel files and then execute phishing campaigns with these documents. These macros, which are fully documented online, … Continue reading Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format